Dailydave mailing list archives

Re: Wierd bugs are cool bugs. (or as halvar would say "deep sea fish are good eatin'!")


From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Fri, 17 Mar 2006 01:04:03 -0600

Firefox also has fun bugs like this :-) Safari too. And Opera. Try this 
for kicks: use the metasploit firefox_queryinterface exploit against the 
latest version of Safari, look where it crashes, follow the code back to 
its OSS lair... Browser exploits are so much fun - choose your own return 
address in IE by loading a COM object that ISN'T marked safe for 
scripting - the DLL still gets mapped into its address space.

Nothing quite like an application where you can jump anywhere within a 
32-bit address space and still get code execution 50% of the time. 
Browser bugs are convoluted and painful because of how much of the 
environment is controlled by the user - it doesn't matter who made the 
browser, all it takes is a free'd heap pointer being reused to gain 
another shell. Just because IE is still exploitable doesn't mean that the 
rest of the browsers are safe :0)

-HD

PS. The KJS unicode bug mentioned above probably isn't exploitable, but 
many out-of-memory conditions can be. Check out Gaël Delalleau's CSW05 
talk for some cool tricks. OOM bugs can really suck on x64.

PPS. Go see V for Vendetta.

PPPS. Latest Firefox -the APPLET tag with an interesting SRC parameter is 
also quite fun - debugging a crash 100 calls deep into the JVM is 
interesting to wrap your brain around. 

On Thursday 16 March 2006 20:50, Moe wrote:
Well, it gave me a pretty girl picture and a plethora of garbage, all
followed by "Hello cruel world."   But no crash.   It really pays to
NOT use IE.

